This proof of concept implements a REST API for a training provider to manage its training courses. The API is documented in a Postman Collection:
postman.com/dmurygin/training-courses
To build and start the project, the following tools must be installed:
- Git
- Java 21
- Maven
- Clone the repo
  git clone https://github.com/murygin/training-courses.git
  cd training-courses
- Compile
  ./mvnw clean compile
- Run
  ./mvnw spring-boot:run
The application will start on port 8080 by default. You can change the port in the application.properties file. The base URL is http://localhost:8080.
This section contains notes that are important for the further development and operation of this application.
The application is not secure by default. It is important to implement security measures before deploying the application in a production environment.
OWASP
Authentication and authorization
- Authentication: OAuth2 with JWT Tokens, access delegation
- Spring Security
- OAuth2 Authorization Server: Keycloak, Open Source, simple integration of other identity providers
Supply Chain Management
- Dependency update tool: Renovate or Dependabot on GitHub
- Signing artifacts: Docker images, Java archives, etc.
- Automatic checking of security vulnerabilities in the libraries used, in the build tool and also in the runtime environments, e.g. with Trivy
Git
- Git has no built-in secure authentication, so Git commits must be signed
- Gitflow vs. trunk-based development
- Automatic build of Docker images and deployment in Kubernetes environments after completion of the test suite with end-to-end tests
- Build with: GitLab pipelines, GitHub Actions, Jenkins, etc.
- The configuration of the build should be managed together with the source code in the Git repository
- Kubernetes deployment with Helm
- Scalability is configured in Kubernetes (The Twelve Factors for SaaS apps must be taken into account)
- Unit test for classes that are not simple records
- Multi-level integration tests, for the web or API layer, access to the database or a message queue
- Integration tests and unit tests should be run in different profiles: Fast unit tests for the IDE, quick integration tests for each build on the build server, all integration tests only before a merge
- Code review (by developers) integrated in the build process
- Automatic code analysis: SonarQube
- Code coverage: JaCoCo
- Code formatter and linter integrated into the build tool
- During development, The Twelve Factors must be taken into account from the very beginning
- Logging agent used in Kubernetes: Fluentd
- ELK Stack: Elasticsearch, Logstash and Kibana
- OpenSearch (Dashboard) (Open Source)
- Grafana (Open Source)
- Prometheus (Open Source)
- Sentry - Application monitoring software
- Datadog - Cloud Monitoring as a Service
- Spring Boot Actuator provides production-ready features such as monitoring and metrics about the running application
With the articles in this section you can learn more about frameworks and systems that are used in this application.
Spring Boot
- Building a “Hello, World” RESTful Web Service
- Building REST services with Spring
- Spring Boot Folder Structure (Best Practices)
- Testing the Web Layer - spring.io
- Spring Boot MockMVC Best Practices
Postman
Misc.
- Which data type would you choose for storing currency values like Trading Price? What’s your opinion about Float, Double and BigDecimal?
- How to store date, time, and timestamps in UTC time zone with JDBC and Hibernate
Daniel Murygin - linkedin.com/in/murygin - daniel.murygin@gmail.com
Project Link: github.com/murygin/training-courses